Summary
Security audit of adminset identified 4 authorization vulnerabilities across the DevOps platform.
Findings
1. CRITICAL: Unauthenticated File Manager (elFinder Connector)
File: elfinder/views.py:11-136
The ElfinderConnectorView class has zero authentication — no LoginRequiredMixin, no @login_required, no custom auth checks. The dispatch() method only applies @csrf_exempt. This provides a full file manager supporting: browse/read, upload, delete, mkdir, rename, paste.
Comparison: The mfile/views.py finder view that renders the elFinder UI has LoginRequiredMixin + @permission_verify(). The backend connector performing all filesystem operations has no auth.
Fix: Add LoginRequiredMixin and permission_verify to ElfinderConnectorView.
2. CRITICAL: WebSSH Authorization Bypass via Empty Permission Set
File: cmdb/asset.py:286-297
The WebSSH auth logic iterates over permitted groups and returns 403 if any permitted group is not in the host's groups. When a user's role has an empty webssh permission set, the loop never executes and falls through to granting full access.
    perms = request.user.role.webssh.all()  # Empty if no perms assigned
    for p in perms:  # Loop never executes if empty
        if p not in group:
            return HttpResponse("forbidden!", status=403)
    # Falls through — FULL ACCESS
Comparison: The delivery module builds its allowed list from the permission set, so an empty set yields empty results rather than full access.
Fix: Add if not perms: return HttpResponse("forbidden!", status=403) before the loop.
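The bypass and the fix reduced to a framework-free check, as an added example (not adminset's code). `perms` stands in for `request.user.role.webssh.all()` and `host_groups` for the host's group set; both are constructed here so the block runs without Django.

```python
"""Deny-by-default WebSSH check: vulnerable form beside the fixed form.

Added example, not adminset's code. `perms` models
request.user.role.webssh.all(); `host_groups` models the host's groups.
"""
from typing import Iterable, List


def webssh_allowed_vulnerable(perms: Iterable[str], host_groups: Iterable[str]) -> bool:
    """Mirrors the reported logic in cmdb/asset.py:286-297.

    Rejects only when a permitted group is not among the host's groups.
    With an empty `perms` the loop body never runs, so the function falls
    through to True: a role with no WebSSH permissions gets access.
    """
    host_groups = set(host_groups)
    for p in perms:
        if p not in host_groups:
            return False  # the view returns 403 here
    return True  # reached even when perms is empty


def webssh_allowed_fixed(perms: Iterable[str], host_groups: Iterable[str]) -> bool:
    """Same check with the report's fix: an empty permission set is denied
    before the loop, so access is only ever granted by a positive match."""
    perms = list(perms)
    if not perms:
        return False  # the report's `if not perms: return 403`
    host_groups = set(host_groups)
    for p in perms:
        if p not in host_groups:
            return False
    return True


def compare(cases: List[tuple]) -> List[tuple]:
    """Run both checks over (perms, host_groups) pairs for side-by-side review."""
    return [
        (perms, groups, webssh_allowed_vulnerable(perms, groups), webssh_allowed_fixed(perms, groups))
        for perms, groups in cases
    ]


if __name__ == "__main__":
    # Constructed sample roles/hosts; the empty-permission row is the bug.
    sample = [([], ["web"]), (["web"], ["web", "db"]), (["ops"], ["web"])]
    for perms, groups, vuln, fixed in compare(sample):
        print(f"perms={perms!r:12} host={groups!r:14} vulnerable={vuln} fixed={fixed}")
```

The first row of the sample is the bypass: no permissions, yet the vulnerable check returns True while the fixed check returns False. The other rows show the fix does not change behaviour for roles that actually hold permissions.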
3. HIGH: Command Injection via job_backend_task
File: setup/jobs.py:244-250
URL parameters concatenated directly into Popen(cmd, shell=True). Currently constrained by \w+ URL regex, but no application-level sanitization.
Fix: Use subprocess.run() with a list argument (no shell=True), or validate against an allowlist.
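One way to apply this fix, as an added example that is not adminset's code: the job parameters are validated against an allowlist and the same `\w+` shape the URL regex enforces, then passed to `subprocess.run()` as separate argv elements so no shell ever parses them. The script path, action names and parameter names are assumptions; the real command in setup/jobs.py is not reproduced.

```python
"""Build a job command as an argv list instead of shell concatenation.

Added example, not adminset's code. JOB_SCRIPT and ALLOWED_ACTIONS are
constructed placeholders standing in for whatever setup/jobs.py runs.
"""
import re
import subprocess
from typing import List

JOB_SCRIPT = "/opt/adminset/bin/job.sh"            # assumed path
ALLOWED_ACTIONS = frozenset({"deploy", "restart", "status"})  # constructed allowlist
SAFE_TOKEN = re.compile(r"\w+")                     # same character class as the URL regex


def build_job_argv(action: str, host: str) -> List[str]:
    """Validate both parameters at the application layer and return argv.

    Validation lives here rather than only in the URL pattern so that a
    later change to the route cannot silently widen what reaches the OS.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not allowed: {action!r}")
    if not SAFE_TOKEN.fullmatch(host):
        raise ValueError(f"host contains disallowed characters: {host!r}")
    # Each value is its own argv element: with no shell involved, shell
    # metacharacters in `host` would be passed literally, not interpreted.
    return [JOB_SCRIPT, action, host]


def rejects(action: str, host: str) -> bool:
    """True if the parameters fail validation (used for review and tests)."""
    try:
        build_job_argv(action, host)
    except ValueError:
        return True
    return False


def run_job(action: str, host: str) -> subprocess.CompletedProcess:
    """Execute the job with a list argument and no shell=True."""
    return subprocess.run(
        build_job_argv(action, host),
        capture_output=True,
        text=True,
        check=False,
    )


if __name__ == "__main__":
    # Constructed inputs: a valid pair and one that must be refused.
    print(build_job_argv("deploy", "web01"))
    print("rejected:", rejects("deploy", "web01;x"))
```

`rejects()` makes the validation outcome a return value, so a unit test can confirm that a value containing a shell metacharacter never reaches `subprocess.run()`.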
4. HIGH: node_status Missing @permission_verify
File: cmdb/asset.py:300-332
Has @login_required() but is missing @permission_verify(), so any authenticated user can query any host's status.
Comparison: Every other CMDB view has both decorators.
Fix: Add @permission_verify() decorator.
Impact
Unauthenticated filesystem access. Users with no webssh permissions get shell access to all hosts.
Disclosure
This report was generated during a systematic open-source security audit. I'm happy to discuss any findings or assist with fixes.